b"         U.S. ENVIRONMENTAL PROTECTION AGENCY\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n                                        Catalyst for Improving the Environment\n\n\nAudit Report\n\n\n\n\n       EPA Needs to Improve\n       Physical Security at Its\n       Offices in Las Vegas, Nevada\n       Report No. 10-P-0059\n\n       February 3, 2010\n\x0cReport Contributors:                                Rudolph M. Brevard\n                                                    Charles M. Dade\n\n\n\n\nAbbreviations\n\nEPA           U.S. Environmental Protection Agency\nLVFC          Las Vegas Finance Center\nOIG           Office of Inspector General\nORD           Office of Research and Development\n\n\n\n\nCover photo: An EPA building in Las Vegas that is protected by a card reader system.\n             (EPA photo)\n\x0c                                                                                                                10-P-0059\n                       U.S. Environmental Protection Agency                                               February 3, 2010\n                       Office of Inspector General\n\n\n                       At a Glance\n                                                                                Catalyst for Improving the Environment\n\nWhy We Did This Review             EPA Needs to Improve Physical Security at Its\nThe Office of Inspector            Offices in Las Vegas, Nevada\nGeneral (OIG) sought to\n                                    What We Found\ndetermine whether the U.S.\nEnvironmental Protection\n                                   EPA needs to improve physical security at its Las Vegas facilities. The Las Vegas\nAgency (EPA) implemented\n                                   Finance Center\xe2\x80\x99s (LVFC\xe2\x80\x99s) server room and other key areas are susceptible to\noversight practices for securing\n                                   unauthorized access by personnel not a part of LVFC. The LVFC areas are protected\naccess to key EPA locations in\n                                   by an access control system, but the system operator \xe2\x80\x93 ORD \xe2\x80\x93 does not administer the\nLas Vegas, Nevada.\n                                   system in a manner that allows LVFC to monitor access to its area. As a result, ORD\n                                   granted personnel access to sensitive LVFC areas without proper authorization.\nBackground\n                                   During our audit of EPA\xe2\x80\x99s financial statements, we found that these problems are not\nEPA occupies space in six\n                                   limited to the LVFC. ORD does not administer the system in a manner that permits\nbuildings on or near the\n                                   the other organizations in Las Vegas supported by the system to monitor access to\nUniversity of Nevada-Las\n                                   their space. Also, ORD did not perform its responsibilities associated with managing\nVegas campus. These buildings\n                                   and administering the computer-controlled card access system supporting all of the\nuse a card access system to\n                                   EPA buildings in Las Vegas.\ncontrol personnel access to\nthese buildings. The Office of\n                                   During subsequent communications with ORD, the office agreed with the findings\nResearch and Development\n                                   and indicated that it planned to negotiate the transfer of the responsibility for the\n(ORD) is responsible for\n                                   maintenance and oversight of the portion of the card access system relied upon by the\nmanaging the process for\n                                   other offices within Las Vegas to one of the other offices.\nauthorizing and removing\npersonnel access to these           What We Recommend\nbuildings and for administering\nthe computer system that           We recommend that the ORD Office of Science Information Management develop\ncontrols the card access system.   and implement procedures to ensure that all organizations are provided with the\nEPA\xe2\x80\x99s Security Management          information necessary to monitor and review the access to their space until one of the\nDivision within the Office of      offices accepts responsibility for oversight and maintenance of the card access\nAdministration and Resources       system. Until ORD completes the transfer, we recommend that each Las Vegas\nManagement is the responsible      office develop and implement a formal procedure that ensures it reviews the access\nand primary agent within EPA       reports provided by ORD for anomalies on at least a monthly basis.\nfor physical security.\n                                   Once one of the offices accepts the responsibility from ORD, we recommend that the\nFor further information, contact   office develop and implement a formal procedure for managing the card access\nour Office of Congressional,       system under its control. After the transfer, we recommend that each of the offices\nPublic Affairs and Management      establish a formal procedure for reviewing and monitoring the access for the space\nat (202) 566-2391.\n                                   used by their office. We also recommend that the Security Management Division\nTo view the full report,           conduct an assessment of the physical security practices at EPA\xe2\x80\x99s Las Vegas\nclick on the following link:       locations and conduct outreach to the Las Vegas offices to provide assistance. EPA\nwww.epa.gov/oig/reports/2010/      agreed with the findings and recommendations.\n20100203-10-P-0059.pdf\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                                        OFFICE OF\n                                                                                   INSPECTOR GENERAL\n\n\n\n\n                                         February 3, 2010\n\nMEMORANDUM\n\nSUBJECT:               EPA Needs to Improve Physical Security at Its Offices in\n                       Las Vegas, Nevada\n                       Report No. 10-P-0059\n\n\nFROM:                  Rudolph M. Brevard\n                       Director, Information Resources Management Assessments\n                       Office of Inspector General\n\nTO:                    See Below\n\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the\nproblems the OIG has identified and corrective actions the OIG recommends. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nThe estimated cost of this report \xe2\x80\x93 calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time \xe2\x80\x93 is $49,122.\n\nAction Required\n\nIn accordance with EPA Manual 2750, you are required to provide a written response to this\nreport within 90 calendar days. Due to the number of offices involved, EPA\xe2\x80\x99s Security\nManagement Division within the Office of Administration and Resources Management has been\ndesignated as the lead office responsible for coordinating a consolidated response to this report.\nYou should include a corrective actions plan for agreed-upon actions, including milestone dates.\nWe have no objections to the further release of this report to the public. This report will be\navailable at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact me at (202) 566-0893\nor brevard.rudy@epa.gov; or Charles Dade, Project Manager, at (202) 566-2575 or\ndade.chuck@epa.gov.\n\x0cAddressees:\n\nTami Franklin\nActing Director, Security Management Division\nOffice of Administration and Resources Management\n\nDan Heggem\nActing Director, National Exposure Research Laboratory\nEnvironmental Sciences Division\nOffice of Research and Development\n\nJack Puzak\nDirector, Office of Science Information Management\nOffice of Research and Development\n\nDany Lavergne\nDirector, Las Vegas Finance Center\nOffice of the Chief Financial Officer\n\nSheron Johnson\nDirector, Human Resources Management Division \xe2\x80\x93 Las Vegas\nOffice of Administration and Resources Management\n\nDennisses Valdes\nDeputy Director, Environmental Response Team \xe2\x80\x93 West\nOffice of Solid Waste and Emergency Response\n\nJed Harrison\nDirector, Radiation and Indoor Environments National Laboratory\nOffice of Air and Radiation\n\x0cEPA Needs to Improve Physical Security                                                                                            10-P-0059\nat Its Offices in Las Vegas, Nevada\n\n\n\n\n                                         Table of Contents \n\nPurpose ................................................................................................................................    1        \n\n\nBackground ..........................................................................................................................       1        \n\n\nScope and Methodology .....................................................................................................                 2        \n\n\nResults of Review ................................................................................................................          2        \n\n\nRecommendations...............................................................................................................              4        \n\n\nAgency Response and OIG Comments .............................................................................                              5\n\n\nStatus of Recommendations and Potential Monetary Benefits.......................................                                            7        \n\n\n\n\nAppendices \n\n    A        Response from Office of Research and Development ......................................                                        9        \n\n\n    B        Response from Las Vegas Finance Center ........................................................                               13    \n\n\n    C        Response from Human Resources Management Division \xe2\x80\x93 Las Vegas..........                                                       15    \n\n\n    D        Response from Environmental Response Team \xe2\x80\x93 West ...................................                                          17    \n\n\n    E        Response from Radiation and Indoor Environments National Laboratory .....                                                     19    \n\n\n    F        Response from Security Management Division .................................................                                  21\n\n\n    G        Distribution ............................................................................................................     22    \n\n\x0c                                                                                                   10-P-0059 \n\n\n\nPurpose\nThe Office of Inspector General (OIG) sought to determine whether the U.S. Environmental\nProtection Agency (EPA) implemented oversight practices for securing access to key EPA\nlocations in Las Vegas, Nevada. We looked at these security issues during our review of EPA\xe2\x80\x99s\nconsolidated financial statements for Fiscal Years 2009 and 2008.\n\nBackground\nEPA occupies space in six buildings on or near the University of Nevada-Las Vegas campus.\nSeveral EPA programs with diverse functions occupy these buildings. Details are in Table 1.\n\nTable 1: EPA Las Vegas Offices and Functions\n Office                         Program Office               Function\n Las Vegas Finance              Office of the Chief          Supports payments for all of EPA\xe2\x80\x99s grant award\n Center                         Financial Officer            offices. Supports the fellowship program by\n                                                             making all fellowship payments and providing\n                                                             additional services such as maintaining\n                                                             completion of studies and payment enrollments.\n Human Resources                Office of Administration     Processes personnel and benefits actions for the\n Management Division \xe2\x80\x93          and Resources                Agency's 17,000 employees. One of EPA\xe2\x80\x99s\n Las Vegas                      Management                   three human resources shared service centers.\n National Exposure              Office of Research and       Conducts research, development, and\n Research Laboratory            Development                  technology transfer programs on environmental\n                                                             exposures to ecological and human receptors.\n Radiation and Indoor           Office of Air and            Protects the public and the environment by\n Environments National          Radiation                    minimizing exposure to radiation and indoor air\n Laboratory                                                  pollution through environmental measurements,\n                                                             applied technologies, and education.\n Environmental                  Office of Solid Waste        Provides assistance in environmental\n Response Team \xe2\x80\x93 West           and Emergency                emergencies. Serves as in-house consultant on\n                                Response                     innovative and emerging technologies and has\n                                                             recognized experts in several fields of science.\nSource: EPA Office of Environmental Information Intranet.\n\n\nThe EPA Las Vegas offices use a card access system to control entry to these buildings. The\nOffice of Research and Development (ORD) is responsible for managing the process for\nauthorizing and removing personnel access to these buildings. ORD is also responsible for\nadministering the computer system that controls the card access system.\n\nThe Standard Operating Procedure for Management/Control of Access to Environmental\nProtection Agency Buildings in Las Vegas, NV, dated February 17, 2004, requires ORD\xe2\x80\x99s\nEnvironmental Sciences Division Programs Operations Staff to: (1) grant access to EPA Las\nVegas facilities based on the fully completed submission of an employee data sheet form LV-172\nwith all appropriate signatures, (2) perform semiannual reviews of all access provided, and\n(3) perform a review of the signatures on the LV-172 whenever the access requirements of a staff\nmember changes.\n\n\n\n                                                        1\n\n\x0c                                                                                       10-P-0059 \n\n\n\n\n\nEPA Order 3210, Physical Security Program, designates the Security Management Division\nwithin the Office of Administration and Resources Management as the responsible and primary\nagent within EPA for physical security. The order requires the division to conduct periodic\nnationwide physical security risk and vulnerability assessments of EPA facilities.\n\nScope and Methodology\nWe performed this audit from June through November 2009 at EPA offices in Las Vegas,\nNevada. We performed this audit in accordance with generally accepted government auditing\nstandards. These standards require that we plan and perform the audit to obtain sufficient and\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on the\naudit objectives. We believe the evidence obtained provides a reasonable basis for our findings\nand conclusions.\n\nWe interviewed EPA officials responsible for overseeing the administration of the Las Vegas\ncard reader system and managing the Las Vegas buildings access processes. We interviewed\nEPA officials responsible for using the card access system reports to monitor personnel access\nthey oversee. We reviewed the Standard Operating Procedures that govern the maintenance and\noversight of the card reader system. We analyzed the card reader system reports provided by\nEPA officials within Las Vegas. We reviewed forms Las Vegas offices use to request personnel\naccess to their building space.\n\nWe had not performed past audits of physical security at EPA Las Vegas offices. Therefore, we\ndid not perform follow-up work on any open recommendations.\n\nResults of Review\nEPA needs to improve physical security at its Las Vegas facilities. In particular, the Las Vegas\nFinance Center\xe2\x80\x99s (LVFC\xe2\x80\x99s) server room and other key areas are susceptible to unauthorized\naccess by personnel not a part of LVFC. The LVFC areas are protected by an access control\nsystem, but the system operator \xe2\x80\x93 ORD \xe2\x80\x93 does not administer the system in a manner that allows\nLVFC to monitor access to its area. In particular, ORD had not obtained authorization from the\nLVFC Director to grant access to key areas to non-LVFC personnel. ORD also had neither\nprovided the LVFC reports detailing who has access to their areas nor performed the required\nsemiannual review of access rights required by ORD procedures. As a result, personnel were\ngranted access to sensitive areas without proper authorization. Problems are not limited to the\nLVFC. ORD does not administer the system in a manner that permits the other EPA\norganizations supported by the system to monitor access to their space.\n\nORD did not perform its responsibilities associated with managing and administering the\ncomputer-controlled card access system supporting all of the EPA buildings in Las Vegas. The\nORD personnel now responsible for this function work within ORD\xe2\x80\x99s Office of Science\nInformation Management. We found that ORD:\n\n\n\n\n                                               2\n\n\x0c                                                                                          10-P-0059 \n\n\n\n   \xe2\x80\xa2\t Did not grant access based on appropriately approved and completed LV-172 forms. Our\n      review of access to a small sample of doors for which the LVFC Director was a required\n      approving official disclosed personnel with access whose forms were not approved by the\n      LVFC Director.\n   \xe2\x80\xa2\t Did not fully complete the LV-172 forms we reviewed.\n   \xe2\x80\xa2\t Did not perform the required semiannual reviews of the card access provided. ORD\n      indicated that the only review performed was back in 2004, and even for that review it\n      could not provide evidence that the review was performed or that any corrective actions\n      were taken based on the review.\n\nAlong with not performing the responsibilities identified above, ORD has not been providing the\nnecessary information to the various EPA organizations serviced by the card access system to\nallow them to monitor and review the access to their space. Radiation and Indoor Environments,\nHuman Resources, and LVFC all indicated that ORD has not provided them with the information\nnecessary to validate personnel who have access to their space. We also found that ORD was not\nresponsive to the offices supported by the card access system. The LVFC Information Security\nOfficer mentioned in a report that she attempted to review the access granted within the card\naccess system but found that the reports provided by ORD were not accurate and complete and\nthat the responses to her requests were not timely. To enable each organization to properly\nmonitor and review the access to its space, ORD needs to provide the following standard reports\nto each organization on a monthly basis:\n\n   \xe2\x80\xa2\t A report showing all of the access groups in Las Vegas that lists for each group (1) each\n      of the doors the group can access, and (2) the days of the week and times that the group\n      can access each of the doors.\n   \xe2\x80\xa2\t A report showing all of the access groups in Las Vegas that lists all of the users, their\n      associated card ID, and the expiration date of the access for each of the users for each\n      group.\n   \xe2\x80\xa2\t For reviewing the logged history of users\xe2\x80\x99 access, a report that shows the: (1) criteria\n      used for the creation of the report, (2) date and time of the access attempt, (3) action\n      taken by the device, (4) location/site, (5) door, (6) user name, and (7) card ID.\n\nAdditionally, ORD needs to be responsive to the organizations\xe2\x80\x99 special requests for reports and\nprovide them in a timely manner.\n\nDuring subsequent communications with ORD, the office agreed with the finding and indicated\nthat it planned to negotiate the transfer of the responsibility for the maintenance and oversight of\nthe portion of the card access system relied upon by the other offices within Las Vegas to one of\nthe other offices. Because this transfer of responsibility will result in a change in the way EPA\nwill be providing physical security to the facilities in Las Vegas, we believe it would be in EPA\xe2\x80\x99s\nbest interest for the Office of Administration and Resources Management\xe2\x80\x99s Security\nManagement Division to conduct a review to ensure the procedures are implemented and\nworking as management intends. Furthermore, in response to the draft report, offices within Las\nVegas felt the Security Management Division should have involvement with ensuring security\nresponsibilities are appropriately transferred within the Las Vegas offices.\n\n\n\n                                                 3\n\n\x0c                                                                                            10-P-0059 \n\n\n\nRecommendations\nWe recommend that the Director, Office of Science Information Management, within the Office\nof Research and Development:\n\n     1.\t Develop and implement procedures to ensure that all organizations are provided with\n         the information necessary to monitor and review the access to their space both if and\n         when the transfer takes place as well as in the interim until the transfer takes place,\n         including:\n             a.\t Providing electronic copies of the following reports to the director of each\n                 organization supported by the system on a monthly basis to enable them to\n                 monitor and review the access to their space.\n                      i.\t A Standard Report showing all of the access groups in Las Vegas that\n                          lists for each group:\n                               1.\t Each of the doors the group can access, and\n                               2.\t The days of the week and times that the group can access each of\n                                   the doors.\n                     ii.\t A Standard Report showing all of the access groups in Las Vegas that\n                          lists all of the users, their associated Card ID, and the expiration date of\n                          the access for each of the users for each group.\n                    iii.\t For reviewing the logged history of users\xe2\x80\x99 access, a standard report that\n                          shows the: (1) criteria used for the creation of the report, (2) date and\n                          time of the access attempt, (3) action taken by the device, (4)\n                          location/site, (5) door, (6) user name, and (7) card ID.\n             b.\t Providing, upon request, the reports as requested by the organizations in a timely\n                 manner (within 2 working days) for special situations.\n\n     2.\t Fully implement the standard operating procedures for the facilities that remain in the\n         card access system for the National Exposure Research Laboratory, Environmental\n         Sciences Division\n\n     3.\t Perform a review to ensure the standard operating procedures are implemented and\n         working and document the review, associated results, and corrective actions taken.\n\nFor the (a) Director, Las Vegas Finance Center, within the Office of the Chief Financial Officer;\n(b) Director, Human Resources Management Division \xe2\x80\x93 Las Vegas, within the Office of\nAdministration and Resources Management; (c) Director, Environmental Response Team \xe2\x80\x93\nWest, within the Office of Solid Waste and Emergency Response; and (d) Director, Radiation\nand Indoor Environments National Laboratory, within the Office of Air and Radiation, we\nrecommend that:\n\n     4.\t If your office accepts the transfer of the responsibility for management and oversight of\n         the card access system, develop and implement formal procedures for managing and\n         overseeing the card access system for all of the facilities/organizations supported by the\n         system. The procedures should include:\n\n\n\n\n                                                  4\n\n\x0c                                                                                         10-P-0059 \n\n\n\n            a.\t Listing steps for granting and removing access to the system.\n            b.\t Providing on a monthly basis the reports noted in Recommendation 1 to the\n                director for each organization supported by the system,\n            c.\t Providing, upon request, the reports as requested by the organizations in a\n                timely manner (within 2 working days) for special situations.\n            d.\t Performing periodic reviews to validate\n                    i.\t the access provided is limited to the access authorized and\n                   ii.\t the access authorized is still needed.\n\n    5.\t Develop and implement a formal procedure to review for anomalies, on a monthly basis,\n        the logs and access reports provided by the Office of Science Information Management,\n        within the Office of Research and Development, that are associated with the current\n        card access system for the space used by its office.\n\n    6.\t Once responsibility for overseeing the card access system is transferred, develop and\n        implement a formal procedure for reviewing and monitoring the access for the space\n        used by its office. The procedure should include continuing to review system logs and\n        reports on a monthly basis for anomalies, as well as verifying at least annually that all\n        users associated with the office space still need their current access.\n\nWe recommend the Director, Security Management Division, within the Office of\nAdministration and Resources Management:\n\n    7.\t Schedule and conduct an assessment of the physical security practices at EPA\xe2\x80\x99s\n        Las Vegas locations to make sure the procedures are implemented and working as\n        management intends.\n\n    8.\t Conduct outreach to EPA offices within Las Vegas and provide technical assistance, as\n        required, to ensure security responsibilities and practices meet Agency requirements.\n\nAgency Response and OIG Comments\nThe Agency agreed with our findings and provided tentative corrective action plans to address\nour recommendations. However, we noted the offices indicated differences in when they felt the\ntransfer of the responsibility for management and oversight of the card access system would\noccur. ORD estimated that the transfer would take place on July 31, 2010, whereas the other\noffices estimated it would take place no later than March 31, 2010.\n\nORD indicated that in December 2009 it implemented corrective actions that address\nRecommendation 1. The corrective actions described appear to address our concerns and we\nclosed this recommendation in our audit tracking system.\n\nWe also noted that the Security Management Division will schedule and conduct its assessment\nupon notification that the offices have completed the procedures required in response to\nRecommendations 1 through 6.\n\n\n\n\n                                                5\n\n\x0c                                                                                        10-P-0059 \n\n\n\nAdditionally, both the (a) Human Resources Management Division \xe2\x80\x93 Las Vegas, within the\nOffice of Administration and Resources Management, and the (b) Radiation and Indoor\nEnvironments National Laboratory, within the Office of Air and Radiation requested that the\nSecurity Management Division be involved, provide technical advice, and assist with the transfer\nand implementation of the door access system into the LaPlaza offices.\n\nWe believe that EPA should have one lead office serve as the coordinator for ensuring the\nredistribution of security responsibilities at its Las Vegas offices. This should help to ensure\neach office\xe2\x80\x99s planned corrective actions are properly aligned and that all agreed-to actions are\ntracked through completion. We request that the EPA\xe2\x80\x99s Security Management Division, the\nprimary agent within EPA for physical security, coordinate the final consolidated response to this\nreport and the division agreed to do so. We also modified the report to request that the Security\nManagement Division conduct outreach to those Las Vegas offices that need assistance in\nestablishing security practices and the division agreed to do so.\n\nAppendices A through F contain the complete responses provided by each office.\n\n\n\n\n                                                6\n\n\x0c                                                                                                                                             10-P-0059\n\n\n\n                                  Status of Recommendations and\n                                    Potential Monetary Benefits\n\n                                                                                                                                         POTENTIAL MONETARY\n                                                       RECOMMENDATIONS                                                                    BENEFITS (in $000s)\n\n                                                                                                                             Planned\nRec.   Page                                                                                                                 Completion   Claimed    Agreed To\nNo.     No.                          Subject                            Status1              Action Official                   Date      Amount      Amount\n\n 1      4     Develop and implement procedures to ensure that             O       Director, National Exposure Research\n              all organizations are provided with the information                  Laboratory, Environmental Sciences\n              necessary to monitor and review the access to                       Division, within Office of Research and\n              their space both if and when the transfer takes                                   Development\n              place as well as in the interim until the transfer\n              takes place, including:\n                 a. Providing electronic copies of the following\n                     reports to the director of each organization\n                     supported by the system on a monthly basis\n                     to enable them to monitor and review the\n                     access to its space.\n                      i. A Standard Report showing all of the\n                          access groups in Las Vegas that lists for\n                          each group:\n                              1. Each of the doors the group can\n                                  access, and\n                              2. The days of the week and times\n                                  that the group can access each of\n                                  the doors.\n                     ii. A Standard Report showing all of the\n                          access groups in Las Vegas that lists all\n                          of the users, their associated Card ID, and\n                          the expiration date of the access for each\n                          of the users for each group.\n                     iii. For reviewing the logged history of users\xe2\x80\x99\n                          access, a standard report that shows the:\n                          (1) criteria used for the creation of the\n                          report, (2) date and time of the access\n                          attempt, (3) action taken by the device,\n                          (4) location/site, (5) door, (6) user name,\n                          and (7) card ID.\n                 b. Providing, upon request, the reports as\n                     requested by the organizations in a timely\n                     manner (within 2 working days) for special\n                     situations.\n\n 2      4     Fully implement the standard operating procedures           O       Director, National Exposure Research\n              for the facilities that remain in the card access                    Laboratory, Environmental Sciences\n              system for the National Exposure Research                           Division, within Office of Research and\n              Laboratory, Environmental Sciences Division                                       Development\n\n 3      4     Perform a review to ensure the standard operating           O       Director, National Exposure Research\n              procedures are implemented and working and                           Laboratory, Environmental Sciences\n              document the review, associated results, and                        Division, within Office of Research and\n              corrective actions taken.                                                         Development\n\n\n\n\n                                                                                    7\n\n\x0c                                                                                                                                                      10-P-0059\n\n\n                                                                                                                                                  POTENTIAL MONETARY\n                                                           RECOMMENDATIONS                                                                         BENEFITS (in $000s)\n\n                                                                                                                                      Planned\n    Rec.   Page                                                                                                                      Completion   Claimed    Agreed To\n    No.     No.                          Subject                           Status1                 Action Official                      Date      Amount      Amount\n\n     4       4\t    If your office accepts the transfer of the                O        (a) Director, Las Vegas Finance Center,\n                   responsibility for management and oversight of the                within Office of the Chief Financial Officer;\n                   card access system, develop and implement                              (b) Director, Human Resources\n                   formal procedures for managing and overseeing                     Management Division \xe2\x80\x93 Las Vegas, within\n                   the card access system for all of the                              Office of Administration and Resources\n                   facilities/organizations supported by the system.                               Management;\n                   The procedures should include:\n                       a. Listing steps for granting and removing                      (c) Director, Environmental Response\n                           access to the system.                                     Team \xe2\x80\x93 West, within Office of Solid Waste\n                       b. Providing on a monthly basis the reports                         and Emergency Response; and\n                           noted in Recommendation 1 to the director                    (d) Director, Radiation and Indoor\n                           for each organization supported by the                    Environments National Laboratory, within\n                           system,                                                          Office of Air and Radiation\n                       c. Providing, upon request, the reports as\n                           requested by the organizations in a timely\n                           manner (within 2 working days) for special\n                           situations.\n                       d. Performing periodic reviews to validate\n                              i. the access provided is limited to the\n                                 access authorized and\n                             ii. the access authorized is still needed.\n     5       5\t    Develop and implement a formal procedure to               O        (a) Director, Las Vegas Finance Center,\n                   review for anomalies, on a monthly basis, the logs                within Office of the Chief Financial Officer;\n                   and access reports provided by the Office of                           (b) Director, Human Resources\n                   Science Information Management, within the Office                 Management Division \xe2\x80\x93 Las Vegas, within\n                   of Research and Development, that are associated                   Office of Administration and Resources\n                   with the current card access system for the space                               Management;\n                   used by its office.\n                                                                                       (c) Director, Environmental Response\n                                                                                     Team \xe2\x80\x93 West, within Office of Solid Waste\n                                                                                           and Emergency Response; and\n                                                                                        (d) Director, Radiation and Indoor\n                                                                                     Environments National Laboratory, within\n                                                                                            Office of Air and Radiation\n\n     6       5\t    Once responsibility for overseeing the card access        O        (a) Director, Las Vegas Finance Center,\n                   system is transferred, develop and implement a                    within Office of the Chief Financial Officer;\n                   formal procedure for reviewing and monitoring the                      (b) Director, Human Resources\n                   access for the space used by its office. The                      Management Division \xe2\x80\x93 Las Vegas, within\n                   procedure should include continuing to review                      Office of Administration and Resources\n                   system logs and reports on a monthly basis for                                  Management;\n                   anomalies, as well as verifying at least annually\n                   that all users associated with the office space still               (c) Director, Environmental Response\n                   need their current access.                                        Team \xe2\x80\x93 West, within Office of Solid Waste\n                                                                                           and Emergency Response; and\n                                                                                        (d) Director, Radiation and Indoor\n                                                                                     Environments National Laboratory, within\n                                                                                            Office of Air and Radiation\n\n     7       5     Schedule and conduct an assessment of the                 O       Director, Security Management Division,\n                   physical security practices at EPA\xe2\x80\x99s Las Vegas                       within Office of Administration and\n                   locations to make sure the procedures are                                 Resources Management\n                   implemented and working as management intends.\n\n     8       5     Conduct outreach to EPA offices within Las Vegas          O       Director, Security Management Division,\n                   and provide technical assistance, as required, to                    within Office of Administration and\n                   ensure security responsibilities and practices meet                       Resources Management\n                   Agency requirements.\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is undecided with resolution efforts in progress\n\n\n\n                                                                                         8\n\n\x0c                                                                                         10-P-0059 \n\n\n\n\n\n                                                                                     Appendix A\n\n                         Response from Office of \n\n                        Research and Development \n\n\n\n                                         January 8, 2010\n\n\n\n\nMEMORANDUM\n\n\nSUBJECT: \t Response and Corrective Action Plan For OIG Draft Report\n           Entitled: \xe2\x80\x9cEPA Needs to Improve Physical Security at Its Offices in Las Vegas,\n           Nevada\xe2\x80\x9d Assignment No. OA-FY09-0842\n\nFROM:          Daniel Heggem /s/ Daniel T. Heggem\n               Acting Director, Environmental Sciences Division\n               National Exposure Research Laboratory\n               Office of Research and Development\n\n               Jack Puzak /s/ Christopher S. Robbins for\n               Director, Office of Science Information Management\n               Office of Research and Development\n\nTO: \t          Rudolph M. Brevard, Director\n               Information Resources Management Assessments\n               Office of Inspector General\n\n       Thank you for the opportunity to review and comment on the subject draft report. We\ngenerally agree with the findings contained in the draft report and are taking steps to address\neach of the three recommendations.\n\n         As previously stated in our response to the position paper, since the creation of the 2004\nStandard Operating Procedure (SOP) for card access referenced in the IG report, the number and\nlocation of EPA staff in Las Vegas has increased significantly at the off-campus La Plaza\nfacility. On campus EPA staff includes ORD and a few OAR lab staff. Therefore, we believe\nthat the AA-ships (OSWER, OARM, OCFO, and OAR) located off-campus on Maryland\nParkway, should make minor modifications to their existing system and operate and maintain\naccess control independently of ORD's system. During the last Las Vegas Directors\xe2\x80\x99 meeting,\nlocal management from the other AAships agreed on this approach and a contract action has\n\n\n                                                 9\n\n\x0c                                                                                            10-P-0059 \n\n\n\nbeen initiated to establish a separate access system. With this in mind, we plan to address the\nOIG\xe2\x80\x99s recommendations by implementing the corrective actions set forth in the attachment and\nsummarized below.\n\n         In addition, due to organizational and staffing changes within ORD, the recently\nestablished ORD \xe2\x80\x9cOffice of Science Information Management\xe2\x80\x9d (OSIM) will have the primary\nresponsibility for implementing the corrective actions described below. NERL/ESD\nmanagement will work with staff in ORD/OSIM to facilitate implementation of the corrective\nactions.\n\nRecommendation 1: \n\nDevelop and implement procedures to ensure that all organizations are provided with the \n\ninformation necessary to monitor and review the access to their space both if and when the \n\ntransfer takes place as well as in the interim until the transfer takes place, including: \n\n        a. Providing electronic copies of the following reports to the director of each organization\n        supported by the system on a monthly basis to enable them to monitor and review the\n        access to their space.\n                i. A Standard Report showing all of the access groups in Las Vegas that lists for\n                each group:\n                         1. Each of the doors the group can access, and\n                         2. The days of the week and times that the group can access each of the\n                         doors.\n                ii. A Standard Report showing all of the access groups in Las Vegas that lists all\n                of the users, their associated Card ID, and the expiration date of the access for\n                each of the users for each group.\n                iii. For reviewing the logged history of users\xe2\x80\x99 access, a standard report that shows\n                the: (1) criteria used for the creation of the report, (2) date and time of the access\n                attempt, (3) action taken by the device, (4) location/site, (5) door, (6) user name,\n                and (7) card ID.\n        b. Providing, upon request, the reports as requested by the organizations in a timely\n        manner (within 2 working days) for special situations.\n\nCorrective Action:\nWe concur with the finding. As of December 2009, the procedures developed and contained in\nthe existing SOP are being followed and implemented. Additionally, when the next quarterly co\xc2\xad\nlocated Directors\xe2\x80\x99 meeting is held, the NERL/ESD Division Director will confirm with the other\ndirectors that they are receiving the necessary reports. This process will continue until the other\norganizations have their stand-alone system. A contract action has been initiated to establish a\nseparate card access system. The separate system is expected to be in place by July 31, 2010.\n\nORD/OSIM has distributed two reports entitled \xe2\x80\x9cUser-all by access group\xe2\x80\x9d and \xe2\x80\x9caccess group\xe2\x80\x9d\nto all Las Vegas Division Directors. These reports will continue to be distributed on a monthly\nbasis. These Standard Reports show all of the access groups in Las Vegas and, for each group,\nlist all OIG recommended information. These reports will continue to be distributed to all\nDivision Directors until the transfer takes place at which time the report will be distributed to\n\n\n\n\n                                                 10 \n\n\x0c                                                                                         10-P-0059 \n\n\n\nonly the ESD Division Director. All special reports \xe2\x80\x9cupon request\xe2\x80\x9d will be provided in a timely \n\nmanner for special situations. \n\n\nRecommendation 2: \n\nFully implement the standard operating procedures for the facilities that remain in the card \n\naccess system for the National Exposure Research Laboratory, Environmental Sciences Division \n\n\nCorrective Action: \n\nWe concur with the finding. The SOP will be fully implemented for the ESD-LV facility within \n\n3 months of the completion of the transfer. \n\n\n\nRecommendation 3\nPerform a review to ensure the standard operating procedures are implemented and working and\ndocument the review, associated results, and corrective actions taken.\n\nCorrective Action:\nWe concur with the finding. For the facilities that remain on the NERL/ESD card access system,\nwe will perform a review within 6 months after the updated standard operating procedures are\ncompleted to ensure the procedures are being followed. The results of the review will be\ndocumented.\n\nThank you again for the opportunity to address the findings contained in the subject draft report.\nPlease feel free to contact Chris Sibert at (702) 798-2234 if you have any questions.\n\n\n\nAttachment\n\n\ncc:\nJewel Morris\nMarshall Gray\nChristopher Sibert\nCaroline Parton\nArdra Morgan Kelly\n\n\n\n\n                                                11 \n\n\x0c                                                                                                                   10-P-0059 \n\n\n\n\nRec.           OIG Recommendation                   Responsible                    Corrective Action                       Planned\nNo.                                                   Office                                                              Completion\n                                                                                                                             Date\n       Develop and implement procedures to          ORD/OSIM        We concur with the finding.                          Complete\n       ensure that all organizations are\n       provided with the information                                As of December 2009, the procedures developed\n       necessary to monitor and review the                          and contained in the existing SOP are being\n       access to their space both if and when                       followed and implemented. Additionally, when\n       the transfer takes place as well as in the                   the next quarterly co-located Directors\xe2\x80\x99 meeting\n       interim until the transfer takes place,                      is held, the NERL/ESD Division Director will\n       including:                                                   confirm with the other directors that they are\n       a. Providing electronic copies of the                        receiving the necessary reports. This process\n       following reports to the director of each                    will continue until the other organizations have\n       organization supported by the system                         their stand-alone system. A contract action has\n       on a monthly basis to enable them to                         been imitated to establish a separate card access\n       monitor and review the access to their                       system. The separate system is expected to be in\n       space.                                                       place by July 31, 2010.\n       i. A Standard Report showing all of the\n       access groups in Las Vegas that lists\n       for each group:                                              ORD/OSIM has distributed two reports entitled\n       1. Each of the doors the group can                           \xe2\x80\x9cUser-all by access group\xe2\x80\x9d and \xe2\x80\x9c access group\xe2\x80\x9d\n 1     access, and                                                  to all Las Vegas Division Directors. These\n       2. The days of the week and times that                       reports will continue to be distributed on a\n       the group can access each of the doors.                      monthly basis. These Standard Reports show all\n       ii. A Standard Report showing all of the                     of the access groups in Las Vegas and, for each\n       access groups in Las Vegas that lists all                    group, list all OIG recommended information.\n       of the users, their associated Card ID,                      These reports will continue to be distributed to\n       and the expiration date of the access for                    all Division Directors until the transfer takes\n       each of the users for each group.                            place at which time the report will be distributed\n       iii. For reviewing the logged history of                     to only the ESD Division Director.\n       users\xe2\x80\x99 access, a standard report that\n       shows the: (1) criteria used for the                         All special reports \xe2\x80\x9cupon request\xe2\x80\x9d will be\n       creation of the report, (2) date and time                    provided in a timely manner for special\n       of the access attempt, (3) action taken                      situations.\n       by the device, (4) location/site, (5)\n       door, (6) user name, and (7) card ID.\n       b. Providing, upon request, the reports\n       as requested by the organizations in a\n       timely manner (within 2 working days)\n       for special situations.\n       Fully implement the standard operating       ORD/OSIM        We concur with the finding. The SOP will be          October 2010\n       procedures for the facilities that remain                    fully implemented for the ESD-LV facility\n       in the card access system for the                            within 3 months of the completion of the\n 2\n       National Exposure Research                                   transfer.\n       Laboratory, Environmental Sciences\n       Division.\n       Perform a review to ensure the standard      ORD/OSIM        We concur with the finding. For the facilities       April 2011\n       operating procedures are implemented                         that remain on the NERL/ESD card access\n       and working and document the review,                         system, we will perform a review within\n 3     associated results, and corrective                           6 months after the updated standard operating\n       actions taken.                                               procedures are completed to ensure the\n                                                                    procedures are being followed. The results of the\n                                                                    review will be documented.\n\n\n\n\n                                                                  12 \n\n\x0c                                                                                       10-P-0059 \n\n\n\n                                                                                   Appendix B\n\n           Response from Las Vegas Finance Center\n\n\n\n\n                                        January 7, 2010\n\n\nMEMORANDUM\n\nSUBJECT:\t Las Vegas Finance Center Response to OIG Draft Audit Report, \xe2\x80\x9cEPA Needs to\n          Improve Physical Security at Its Offices in Las Vegas, Nevada,\xe2\x80\x9d Assignment No.\n          OA-FY09-0842, dated December 11, 2009\n\nFROM:\t        Dany Lavergne, Director\n              Las Vegas Finance Center\n\nTO:\t          Rudolph M. Brevard\n              Director, Information Resources Management Assessments\n              Office of Inspector General\n\n\nBelow is LVFC\xe2\x80\x99s response to the subject Audit Report. We concur with all of the IG\xe2\x80\x99s\nrecommendations for LVFC and will implement the required corrective actions. Details on the\nrecommendations pertaining to LVFC are provided below.\n\nWe appreciate the opportunity to review and comment on the draft report. If you have any\nquestions or need additional information, please call me at (702) 798-2483.\n\n\nRecommendation #4: If your office accepts the transfer of the responsibility for management\nand oversight of the card access system, develop and implement formal procedures for managing\nand overseeing the card access system for all of the facilities/organizations supported by the\nsystem.\n\nLVFC Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system as quickly as possible; the target transfer date is\nno later than March 31, 2010. LVFC will work with the other La Plaza offices to ensure that\nformal procedures for management and oversight are completed within 90 days after the transfer.\n\nRecommendation #5: Develop and implement a formal procedure to review for anomalies, on a\nmonthly basis, the logs and access reports provided by the National Exposure Research\n\n\n                                               13 \n\n\x0c                                                                                        10-P-0059 \n\n\n\nLaboratory, Environmental Sciences Division, that are associated with the current card access\nsystem for the space used by their office.\n\nLVFC Response: LVFC currently has procedures for reviewing the logs and reports when they\nare received, but they are not formally documented. A formal procedure will be developed by\nJanuary 29, 2010.\n\nRecommendation #6: Once responsibility for overseeing the card access system is transferred,\ndevelop and implement a formal procedure for reviewing and monitoring the access for the space\nused by their office. The procedure should include continuing to review system logs and reports\non a monthly basis for anomalies, as well as verifying at least annually that all users associated\nwith the office space still need their current access.\n\nLVFC Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system as quickly as possible; the target transfer date is\nno later than March 31, 2010. LVFC will develop and implement a procedure for reviewing and\nmonitoring access to LVFC space within 90 days after the transfer.\n\n\n\n\ncc:    R\n       \t affael Stein\n       Melvin Visnick\n       Kechi Elliott\n       Shelly Norland\n       Peter Boudreau\n       Charles Dade\n\n\n\n\n                                               14 \n\n\x0c                                                                                      10-P-0059 \n\n\n\n                                                                                  Appendix C\n\n       Response from Human Resources Management\n                   Division \xe2\x80\x93 Las Vegas\n\n\n\n\n                                        January 8, 2010\n\n\nMEMORANDUM\n\nSUBJECT:\t Human Resources Management Division \xe2\x80\x93 Las Vegas Response to OIG Draft\n          Audit Report, \xe2\x80\x9cEPA Needs to Improve Physical Security at Its Offices in Las\n          Vegas, Nevada, Assignment No. OA-FY-09-0842, dated December 11, 2009\n\nFROM: \t       Sheron E. Johnson, Director\n              Human Resources Management Division \xe2\x80\x93 Las Vegas\n\nTO:\t          Rudolph M. Brevard\n              Director, Information Resources Management Assessments\n              Office of Inspector General\n\n\nBelow is HRMD-LV response to the subject Audit Report. We concur with all of the IG\xe2\x80\x99s\nrecommendations for HRMD-LV and will implement the required corrective actions. Details on\nthe recommendations pertaining to HRMD-LV are provided below.\n\nWe appreciate the opportunity to review and comment on the draft report. If you have any\nquestions or need additional information, please call me at (702) 798-2413.\n\nRecommendation #4: If your office accepts the transfer of the responsibility for management\nand oversight of the card access system, develop and implement formal procedures for managing\nand overseeing the card access system for all of the facilities/organizations supported by the\nsystem.\n\nHRMD-LV Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system. The target date is no later than March 31, 2010.\nHRMD-LV will work with the other La Plaza offices to ensure that formal procedures for\nmanagement and oversight are completed within 90 days after the transfer.\n\n\n\n\n                                              15 \n\n\x0c                                                                                        10-P-0059 \n\n\n\nRecommendation #5: Develop and implement a formal procedure to review for anomalies, on a\nmonthly basis, the logs and access reports provided by the National Exposure Research\nLaboratory, Environmental Sciences Division, that are associated with the current card access\nsystem for the space used by their office.\n\nHRMD-LV Response: HRMD-LV has procedures for reviewing the logs and reports when\nthey are received, but they are not formally documented. A formal procedure will be developed\nby January 29, 2010.\n\nRecommendation #6: Once responsibility for overseeing the card access system is transferred,\ndevelop and implement a formal procedure for reviewing and monitoring the access for the space\nused by their office. The procedure should include continuing to review system logs and reports\non a monthly basis for anomalies, as well as verifying at least annually that all users associated\nwith the office space still need their current access.\n\nHRMD-LV Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system as quickly as possible; the transfer date is no\nlater than March 31, 2010. HRMD-LV will develop and implement a procedure for reviewing\nand monitoring access to the HRMD-LV space within 90 days after the transfer.\n\nRecommendation #7: Schedule and conduct an assessment of the physical security practices at\nEPA\xe2\x80\x99s Las Vegas locations to make sure the procedures are implemented and working as\nmanagement intends.\n\nHRMD-LV Response: HRMD-LV would like for Security Management Division to be\ninvolved and assist with the migration of La Plaza Building A into a separate system that is\nmanaged by OAR/R&IE, The system should be integrated with the EPA Official Identification\nCard (EPASS). HRMD-LV would like for Security Management Division to provide technical\nadvice, options for optimal service and performance, and guidance for becoming HSPD-12\ncompliant.\n\ncc: \t   Susan Kantrowitz\n        Matt Crouch\n        Marsha Bush\n        Fernando Gomez\n        Chuck Dade\n\n\n\n\n                                               16 \n\n\x0c                                                                                        10-P-0059 \n\n\n\n                                                                                    Appendix D\n\n                     Response from Environmental\n                        Response Team \xe2\x80\x93 West\n\n\n\nMEMORANDUM\n\nSUBJECT:\t Response to OIG Draft Audit Report, \xe2\x80\x9cEPA Needs to Improve Physical Security\n          at Its Offices in Las Vegas, Nevada,\xe2\x80\x9d Assignment No. OA-FY09-0842, dated\n          December 11, 2009 - from Environmental Response Team - West\n\nFROM:\t         Dennisses Vald\xc3\xa9s, Deputy Director\n               Environmental Response Team-West\n\nTO:\t           Rudolph M. Brevard\n               Director, Information Resources Management Assessments\n               Office of Inspector General\n\n\nWe appreciate the opportunity to review and comment on the draft Audit Report. One correction\nneeded in the report is the name of my organization. It is the Environmental Response Team.\nThis is erroneously called emergency on pages 1,2,4, and three times on page 7.\n\nWe concur with the IG\xe2\x80\x99s recommendations pertaining to ERT-W and will implement the\nrequired corrective actions. Below is the response to the ERT-W recommendations.\n\nIf you have any questions or need additional information, please call me at (702) 784-8003.\n\n                                              ###\n\nRecommendation #4: If your office accepts the transfer of the responsibility for management\nand oversight of the card access system, develop and implement formal procedures for managing\nand overseeing the card access system for all of the facilities/organizations supported by the\nsystem.\n\nERT-W Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system as quickly as possible; the target transfer date is\nno later than March 31, 2010. ERT-W will work with the other EPA La Plaza offices to ensure\nthat formal procedures for management and oversight are completed within 90 days after the\ntransfer.\n\n\n\n\n                                               17 \n\n\x0c                                                                                        10-P-0059 \n\n\n\nRecommendation #5: Develop and implement a formal procedure to review for anomalies, on a\nmonthly basis, the logs and access reports provided by the National Exposure Research\nLaboratory, Environmental Sciences Division, that are associated with the current card access\nsystem for the space used by their office.\n\nERT-W Response: ERT-W currently reviews the logs and reports when they are received,\nprocedures for the review are not formally documented. A formal procedure will be developed\nby January 29, 2010.\n\nRecommendation #6: Once responsibility for overseeing the card access system is transferred,\ndevelop and implement a formal procedure for reviewing and monitoring the access for the space\nused by their office. The procedure should include continuing to review system logs and reports\non a monthly basis for anomalies, as well as verifying at least annually that all users associated\nwith the office space still need their current access.\n\nERT-W Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the EPA La Plaza portion of the card access system as quickly as possible; the\ntarget transfer date is no later than March 31, 2010. ERT-W, with the other EPA La Plaza\noffices, will develop and implement a procedure for reviewing and monitoring access to ERT-W\nspace within 90 days of the transfer.\n\ncc: \t   Dany Lavergne, LVFC\n        Jed Harrison, R&IE\n        Sheron Johnsons, LVHRO\n        Joe Lavergne, ERT-W\n        Dave Wright, ERT\n\n\n\n\n                                               18 \n\n\x0c                                                                                       10-P-0059 \n\n\n\n                                                                                   Appendix E\n\n                Response from Radiation and \n\n           Indoor Environments National Laboratory \n\n\n\n\n                                        January 11, 2010\n\n\nMEMORANDUM\n\nSUBJECT:      Radiation and Indoor Environments National Laboratory\xe2\x80\x99s Response to\n              OIG Draft Audit Report, \xe2\x80\x9cEPA Needs to Improve Physical Security at Its Offices\n              in Las Vegas, Nevada,\xe2\x80\x9d Assignment No. OA-FY09-0842, dated December 11,\n              2009\n\nFROM:         Jed Harrison, Director\n              Radiation and Indoor Environments National Laboratory\n\nTO:           Rudolph M. Brevard\n              Director, Information Resources Management Assessments\n              Office of Inspector General\n\n\nBelow is R&IE\xe2\x80\x99s response to the subject Audit Report. We concur with all of the IG\xe2\x80\x99s\nrecommendations for R&IE and will implement the required corrective actions. Details on the\nrecommendations pertaining to R&IE are provided below.\n\nWe appreciate the opportunity to review and comment on the draft report. If you have any\nquestions or need additional information, please call me at (702) 784-8220.\n\n\nRecommendation #4: If your office accepts the transfer of the responsibility for management\nand oversight of the card access system, develop and implement formal procedures for managing\nand overseeing the card access system for all of the facilities/organizations supported by the\nsystem.\n\nR&IE Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system as quickly as possible; the target transfer date is\nno later than March 31, 2010. R&IE will work with the other La Plaza offices to ensure that\nformal procedures for management and oversight are completed within 90 days after the transfer.\n\n\n\n\n                                               19 \n\n\x0c                                                                                        10-P-0059 \n\n\n\nRecommendation #5: Develop and implement a formal procedure to review for anomalies, on a\nmonthly basis, the logs and access reports provided by the National Exposure Research\nLaboratory, Environmental Sciences Division, that are associated with the current card access\nsystem for the space used by their office.\n\nR&IE Response: R&IE currently has procedures for reviewing the logs and reports when they\nare received, but they are not formally documented. A formal procedure will be developed by\nJanuary 29, 2010.\n\nRecommendation #6: Once responsibility for overseeing the card access system is transferred,\ndevelop and implement a formal procedure for reviewing and monitoring the access for the space\nused by their office. The procedure should include continuing to review system logs and reports\non a monthly basis for anomalies, as well as verifying at least annually that all users associated\nwith the office space still need their current access.\n\nR&IE Response: The EPA La Plaza offices are currently working with ORD to transfer\nmanagement of the La Plaza card access system as quickly as possible; the target transfer date is\nno later than March 31, 2010. R&IE will develop and implement a procedure for reviewing and\nmonitoring access to R&IE space within 90 days after the transfer.\n\nRecommendation #7: Schedule and conduct an assessment of the physical security practices at\nEPA\xe2\x80\x99s Las Vegas locations to make sure the procedures are implemented and working as\nmanagement intends.\n\nR&IE Response: R&IE would like for Security Management Division to be involved and assist\nwith the transfer and implementation of the Door Access System into the LaPlaza Office,\nincluding technical advice, options for optimal service and performance, guidance for becoming\nHSPD-12 compliant. Additionally, R&IE would like the Security Management Division to\nprovide an assessment of Building E at LaPlaza, as well as assistance with aligning the Building\nE system with EPA IT procedures and protocols; and guidance in managing different systems\nthat perform the same function or integrate into one system.\n\n\n\ncc:    G\n       \t ina Costantino\n       Andrea Sibert\n       Fernando Gomez\n       Dany Lavergne\n       Dennisses Valdes\n       Sheron Johnson\n\n\n\n\n                                               20 \n\n\x0c                                                                                       10-P-0059 \n\n\n\n                                                                                   Appendix F\n\n       Response from Security Management Division\n\n\n\n                                     January 8, 2010\n\nMEMORANDUM\n\nSUBJECT:\t Response to Draft Audit Report OA-FY09-0842\n\nFROM:\t        Tami Franklin, Acting Director\n              Security Management Division\n              Office of Administration and Resources Management\n\nTO:\t          Rudolph M. Brevard, Director\n              Information Resources Management Assessments\n              Office of Inspector General\n\n       Thank you for the opportunity to comment on the Office of Inspector General\xe2\x80\x99s Draft\nAudit Report (\xe2\x80\x9cReport\xe2\x80\x9d) of December 11, 2009: \xe2\x80\x9cEPA Needs to Improve Physical Security at Its\nOffices in Las Vegas, Nevada.\xe2\x80\x9d\n\n       The Security Management Division (SMD) concurs with the Report\xe2\x80\x99s recommendations\nand has no additional comments. Below is SMD\xe2\x80\x99s plan for completing Recommendation 7.\nPlease note that specific completion dates for Recommendation 7 are dependent on completion\nof Recommendations 1-6 by other EPA organizations.\n\n       Recommendation 7: \xe2\x80\x9cSchedule and conduct an assessment of the physical security\n       practices at EPA\xe2\x80\x99s Las Vegas locations to make sure the procedures are implemented\n       and working as management intends.\xe2\x80\x9d\n\n       SMD will schedule an assessment of the physical security practices at EPA\xe2\x80\x99s Las Vegas\n       locations within 3 months of being notified that the procedures in Recommendations 1-6\n       of the Report have been completed. We will conduct the assessment to make sure the\n       procedures are implemented and working as management intends within 6 months of\n       being notified that the procedures in Recommendations 1-6 have been completed.\n\n    Again, we appreciate this opportunity to review the Report. If you have additional questions,\nplease contact me at 202-564-9218.\n\n\n\n\n                                               21 \n\n\x0c                                                                                    10-P-0059\n\n\n                                                                                Appendix G\n\n                                    Distribution\n\nOffice of the Administrator\nChief Financial Officer\nAssistant Administrator for Research and Development\nAssistant Administrator for Administration and Resources Management\nAssistant Administrator for Solid Waste and Emergency Response\nAssistant Administrator for Air and Radiation\nDirector, Las Vegas Finance Center, Office of the Chief Financial Officer\nActing Director, National Exposure Research Laboratory, Environmental Sciences Division,\n       Office of Research and Development\nDirector, Office of Science Information Management, Office of Research and Development\nDirector, Human Resources Management Division \xe2\x80\x93 Las Vegas, Office of Administration and\n       Resources Management\nActing Director, Security Management Division, Office of Administration and\n       Resources Management\nDeputy Director, Environmental Response Team \xe2\x80\x93 West, Office of Solid Waste and\n       Emergency Response\nDirector, Radiation and Indoor Environments National Laboratory, Office of Air and Radiation\nAgency Follow-up Official (the CFO)\nAgency Follow-up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nAudit Follow-up Coordinator, Office of the Chief Financial Officer\nAudit Follow-up Coordinator, Office of Research and Development\nAudit Follow-up Coordinator, Office of Administration and Resources Management\nAudit Follow-up Coordinator, Office of Solid Waste and Emergency Response\nAudit Follow-up Coordinator, Office of Air and Radiation\nActing Inspector General\n\n\n\n\n                                             22 \n\n\x0c"